test: add test that ensures homed logins via SSH work

2024-10-01 13:55:20 +00:00 · 2023-11-28 15:44:41 +01:00 · 2023-11-28 15:44:41 +01:00 · 8349bbdfd8
parent 5c29111337
commit 8349bbdfd8
2 changed files with 86 additions and 0 deletions
--- a/test/TEST-46-HOMED/test.sh
+++ b/test/TEST-46-HOMED/test.sh
@ -21,6 +21,9 @@ test_append_files() {
        install_btrfs
        generate_module_dependencies
    fi
+    inst_binary ssh
+    inst_binary sshd
+    inst_binary ssh-keygen
 }

 do_test "$@"
--- a/test/units/testsuite-46.sh
+++ b/test/units/testsuite-46.sh
@ -314,6 +314,89 @@ for opt in json multiplexer output synthesize with-dropin with-nss with-varlink;
    (! userdbctl "--$opt=foo" "--$opt=''" "--$opt=🐱")
 done

+# FIXME: sshd seems to crash inside asan currently, skip the actual ssh test hence
+if command -v ssh &> /dev/null && command -v sshd &> /dev/null && ! [[ -v ASAN_OPTIONS ]]; then
+
+    at_exit() {
+        systemctl stop mysshserver.socket
+        rm -f /tmp/homed.id_rsa /run/systemd/system/mysshserver.socket /run/systemd/system/mysshserver@.service
+        systemctl daemon-reload
+        homectl remove homedsshtest ||:
+        mv /etc/pam.d/sshd.save46 mv /etc/pam.d/sshd
+    }
+
+    trap at_exit EXIT
+
+    # Test that SSH logins work with delayed unlocking
+    ssh-keygen -N '' -C '' -t rsa -f /tmp/homed.id_rsa
+    NEWPASSWORD=hunter4711 homectl create \
+                       --disk-size=min \
+                       --luks-discard=yes \
+                       --luks-pbkdf-type=pbkdf2 \
+                       --luks-pbkdf-time-cost=1ms \
+                       --enforce-password-policy=no \
+                       --ssh-authorized-keys=@/tmp/homed.id_rsa.pub \
+                       --stop-delay=0 \
+                       homedsshtest
+
+    mkdir -p /etc/ssh
+    test -f /etc/ssh/ssh_host_rsa_key || ssh-keygen -t rsa -C '' -N '' -f /etc/ssh/ssh_host_rsa_key
+
+    # ssh wants this dir around, but distros cannot agree on a common name for it, let's just create all that are aware of distros use
+    mkdir -p /usr/share/empty.sshd /var/empty /var/empty/sshd
+
+    mv /etc/pam.d/sshd /etc/pam.d/sshd.save46
+
+    cat > /etc/pam.d/sshd <<EOF
+auth    sufficient pam_unix.so nullok
+auth    sufficient pam_systemd_home.so
+auth    required   pam_deny.so
+account sufficient pam_systemd_home.so
+account sufficient pam_unix.so
+account required   pam_permit.so
+session optional   pam_systemd_home.so
+session optional   pam_systemd.so
+session required   pam_unix.so
+EOF
+
+    cat >> /etc/ssh/sshd_config <<EOF
+AuthorizedKeysCommand /usr/bin/userdbctl ssh-authorized-keys %u
+AuthorizedKeysCommandUser root
+UsePAM yes
+AcceptEnv PASSWORD
+LogLevel DEBUG3
+EOF
+
+    cat > /run/systemd/system/mysshserver.socket <<EOF
+[Socket]
+ListenStream=4711
+Accept=yes
+EOF
+
+    cat > /run/systemd/system/mysshserver@.service <<EOF
+[Service]
+ExecStart=-/usr/sbin/sshd -i -d -e
+StandardInput=socket
+StandardOutput=socket
+StandardError=journal
+EOF
+
+    systemctl daemon-reload
+    systemctl start mysshserver.socket
+
+    userdbctl user -j homedsshtest
+
+    ssh -t -t -4 -p 4711 -i /tmp/homed.id_rsa -o "SetEnv PASSWORD=hunter4711" -o "StrictHostKeyChecking no" homedsshtest@localhost echo zzz | tail -n 1 | tr -d '\r' > /tmp/homedsshtest.out
+    cat /tmp/homedsshtest.out
+    test "$(cat /tmp/homedsshtest.out)" = "zzz"
+    rm /tmp/homedsshtest.out
+
+    ssh -t -t -4 -p 4711 -i /tmp/homed.id_rsa -o "SetEnv PASSWORD=hunter4711" -o "StrictHostKeyChecking no" homedsshtest@localhost env
+
+    wait_for_state homedsshtest inactive
+    homectl remove homedsshtest
+fi
+
 systemd-analyze log-level info

 touch /testok